
Breached Credentials Remain the Key Entry Point Behind Rising Ransomware Attacks

Ransomware attacks can take many forms. A customer service user may have trouble opening a file they regularly access, or may see a pop-up announcing that all their files have been encrypted. They alert the IT admin, who confirms the ransomware infection. The infected computer is isolated from the network (pulling its power would also destroy the volatile memory the later forensic investigation may need) and management is contacted. The decision is quickly made to start powering down workstations and disconnecting remote sites. The team works through server-side data to identify which resources have been affected. Thanks to the quick response, the attack is limited to two servers holding little business-critical data.

IT begins reimaging machines that showed signs of ransomware or any other suspicious behavior, and data on the affected servers is restored from backups. When the forensic investigation into the initial attack vector begins, it turns out the attackers logged in to an Internet-facing RDP server using compromised credentials. To prevent the same attack from happening again, they need to make sure there are no compromised accounts left in the organization. The decision is made to force a password change at next login. A forced reset only closes the door if the new passwords are not themselves already in a breach corpus, and if the exposed RDP service can no longer be reached with a password alone.
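Finding the accounts the attackers actually used, as an added example written for this article rather than code from the original page or from Specops: the script below walks constructed Windows Security logon events (event 4624 for a success, 4625 for a failure, LogonType 10 for RDP) and reports every successful RDP logon from outside the assumed internal address plan, together with how many failed attempts preceded it from the same source. The event shape, the internal network list and the sample events are assumptions for the demo; turning real EVTX or SIEM exports into that shape is left to the reader.

```python
"""Added example: hunt logon telemetry for a perimeter RDP compromise.

Illustrative code written for this article, not a Specops tool. The events are
constructed; field names follow the Windows Security log (EventID 4624 success,
4625 failure, LogonType 10 = RemoteInteractive, i.e. RDP).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 203.0.113.0/24 is a documentation
# range standing in for an Internet-facing source.
SAMPLE_EVENTS = [
    {"time": "2023-03-01T02:11:05", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:11:09", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T02:11:14", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.45"},
    {"time": "2023-03-01T03:40:00", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.77"},
    {"time": "2023-03-01T08:02:00", "event_id": 4624, "logon_type": 10, "user": "helpdesk", "src_ip": "10.1.4.22"},
    {"time": "2023-03-01T09:30:00", "event_id": 4624, "logon_type": 2, "user": "jsmith", "src_ip": "-"},
]

# Assumed internal address plan; adjust to your own. An explicit list is used instead of
# ipaddress.is_global so the documentation range above still counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "169.254.0.0/16", "fc00::/7", "::1/128")]


def is_external(ip: str) -> bool:
    """True when the source address is outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # "-" or missing source: console/local logon, not remote
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_rdp_logons(events, window=timedelta(minutes=10)):
    """Return every successful RDP logon (4624, LogonType 10) from an external address,
    annotated with the number of 4625 failures for the same (ip, user) inside the
    preceding window. A count of 0 is still worth reviewing: credentials bought from an
    Initial Access Broker work first time and produce no brute-force noise."""
    failures = defaultdict(list)  # (src_ip, user) -> timestamps of failed attempts
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10 or not is_external(ev["src_ip"]):
            continue
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["src_ip"], ev["user"].lower())
        if ev["event_id"] == 4625:
            failures[key].append(ts)
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[key] if ts - t <= window]
            hits.append({"user": ev["user"], "src_ip": ev["src_ip"],
                         "time": ev["time"], "prior_failures": len(recent)})
    return hits


def accounts_to_reset(events):
    """Accounts whose credentials must be treated as compromised: every account that
    logged on over RDP from outside. These go to the top of the reset list, ahead of
    any blanket change-at-next-logon."""
    return sorted({h["user"] for h in find_external_rdp_logons(events)})


if __name__ == "__main__":
    for hit in find_external_rdp_logons(SAMPLE_EVENTS):
        print(hit)
    print("reset first:", accounts_to_reset(SAMPLE_EVENTS))
```

On the constructed data the script flags two logons: jsmith, preceded by two failures from the same address (a password guessed or stuffed), and svc_backup with no failures at all (a working credential, which is exactly what an access broker sells). The internal helpdesk RDP session and the console logon are ignored.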

Ransomware – a growing threat

According to IAPP, almost half of all data breaches in 2022 began with stolen credentials, and ransomware damages are expected to exceed $30 billion worldwide in 2023. Three recent developments make ransomware more dangerous than in previous years:

  1. Data leak and “double extortion”
  2. Initial Access Brokers (IABs)
  3. Ransomware-as-a-Service (RaaS)

1. Data leak and “double extortion”

Many businesses now keep enterprise backups so they can recover data after an attack. In response, ransomware groups no longer just demand payment for decrypting critical data; they also demand a ransom to keep the stolen data from being leaked.

Attack groups now publish confidential files, documents, databases and other information when businesses refuse to pay. The term double extortion therefore covers two demands: the initial ransom for decrypting files, and a second ransom for not leaking the data that was exfiltrated before the encryption began.

2. Initial Access Brokers (IABs)

The Initial Access Broker (IAB) market is booming on the dark web. IABs sell working access, typically priced by the type of credentials, their access level, and the size of the victim organization. For ransomware groups this means legitimate, often high-privilege credentials for a chosen target. With valid credentials an attack group can simply “walk into the network” with little effort and start exfiltrating data in preparation for the double extortion demand.

3. Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is a further development driving up the number of attacks. RaaS packages ransomware so that an affiliate with little technical experience can carry out an attack.

Affiliates consume the ransomware as a service, without having to develop the malware or maintain the underlying infrastructure themselves.

Breached password protection is critical

Ransomware attacks often start with breached credentials. What can companies do to protect themselves? Cyber security authorities broadly agree that legacy password policies, built on complexity rules and periodic expiry, are not enough.

The password policy built into Active Directory has no breached password protection, and its built-in filtering is limited to length and complexity rules: a password that satisfies them can still be one that has already appeared in a public breach. You can download a free tool, Specops Password Auditor, that scans your Active Directory and identifies password-related vulnerabilities. Because so many breaches result from compromised passwords, leaked passwords are an entry point for attackers; the tool checks your accounts against a list of over 875 million breached passwords.
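To make that gap concrete, here is an added example (written for this article, not Specops' implementation and not Microsoft's password filter) that puts a simplified Active Directory complexity check beside a breached-password lookup done the way k-anonymity range queries work: only the first five characters of the SHA-1 hash select a bucket, and the 35-character suffix is compared locally, so the plaintext never leaves the client. The breached list is a constructed stand-in for a real corpus, and the complexity rule is a simplified version of the default AD policy.

```python
"""Added example: why an AD-style complexity rule is not breached-password protection.

Illustrative code written for this article; it is not Specops' implementation and not
Microsoft's password filter. The breached list below is constructed for the demo.
"""
import hashlib
import re

# Constructed stand-in for a breached-password corpus (real corpora hold hundreds of
# millions to billions of entries and are queried by hash, not plaintext).
CONSTRUCTED_BREACHED = [
    "password", "P@ssw0rd", "P@ssw0rd123", "Summer2023!", "Welcome1!", "Company2023",
]


def sha1_hex(pw: str) -> str:
    """Upper-case hex SHA-1, the form used by range-style breach lookups."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index breached hashes by 5-char SHA-1 prefix -> set of 35-char suffixes.
    This mirrors the k-anonymity range-lookup shape: the client reveals only the prefix
    and receives every suffix in that bucket."""
    index = {}
    for pw in plaintexts:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def is_breached(pw: str, index=RANGE_INDEX) -> bool:
    """Look up the bucket for the hash prefix, then compare the suffix locally."""
    h = sha1_hex(pw)
    return h[5:] in index.get(h[:5], set())


def meets_ad_complexity(pw: str, sam_account_name: str, min_length: int = 8) -> bool:
    """Simplified version of the default AD 'password must meet complexity requirements'
    rule: minimum length, at least three of the character classes (AD also counts other
    Unicode letters as a class), and no samAccountName of three or more characters
    contained in the password. Note that nothing here asks whether the value is known."""
    if len(pw) < min_length:
        return False
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw.lower():
        return False
    return True


def evaluate(pw: str, sam_account_name: str) -> dict:
    """Decision a password filter would return: complexity alone versus complexity plus
    a breached-list check."""
    complexity_ok = meets_ad_complexity(pw, sam_account_name)
    breached = is_breached(pw)
    return {
        "ad_complexity_accepts": complexity_ok,
        "breached": breached,
        "accept_with_breach_check": complexity_ok and not breached,
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "password", "Jsmith2023!", "correct-horse-BATTERY-9"):
        print(candidate, evaluate(candidate, "jsmith"))
```

"P@ssw0rd123" has four character classes and eleven characters, so the complexity rule accepts it; the breach lookup rejects it because it sits in the constructed corpus. That is the difference between a policy that describes the shape of a password and one that knows whether attackers already have it.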

Specops Password Policy extends the functionality of Group Policy and simplifies the management of fine-grained password policies. It also blocks the use of over 2 billion known breached passwords, is fully customizable with blocklists and dictionaries, and gives end users dynamic feedback at password change. If you’re looking for a long-term solution to weak credentials in your Active Directory, you can test it out for free and see whether it’s a good fit for your organization.